Prague 3 Municipal District Authority
The Municipal District of Prague 3 is located east of the city centre and its territory comprises the Prague quarter of Žižkov and a part of the quarter of Královské Vinohrady. The Prague 3 Municipal District Authority acts as the local government of the district, property manager and it exercises delegated powers in the area of state administration.
Call for Proposals
The IT Department at the Prague 3 Municipal District Authority manages the information system operated by the organisation – a variety of database systems and applications supporting the activities of the Authority and its computer network. The managed assets include more than 300 computers, 40 virtual servers with mostly Windows OS, 30 switches, and other devices.
The applications are used primarily to support the exercise of state administration and local government powers. The entire IT system communicates with other IT systems operated by state administration. For example, it is integrated with the National Registers IS and with the Databox IS.
All of the applications, systems, and devices generate logs. The logs were stored locally on individual devices and it was not possible to correlate or archive them. Only the logs generated by network devices were stored in HP Intelligent Management Center, a solution for log management and monitoring.
Although the Prague 3 Municipal District Authority is not yet obliged to comply with the provisions of the Act on Cyber Security No. 181/2014 Coll., the IT Department of the organisation is trying to proceed in accordance with this Act, and the provisions of the Authority's Security Policy also refer to it. The Security Policy has been drafted in compliance with Act No. 365/2000 Coll., on public administration information systems, and also with ISO 27001:2005. Section 21 of the Cyber Security Decree implementing the Act requires "tools for recording the activities of critical information infrastructure and important information systems, their users and administrators". Section 23 requires "a tool to collect and assess information about cyber security events".
The need for a centralised log repository thus arose not only from operational considerations, but also from legislative requirements and from the requirements defined by the Security Policy.
The Solution – why LOGmanager?
The solution had to provide a centralised log repository with sufficient capacity and appropriate assessment tools. A number of very sophisticated SIEM tools from major vendors (ArcSight and QRadar) on the one hand, and low-cost tools built on Open Source solutions (Splunk, Nagios) on the other, were considered.
LOGmanager became the happy medium among the offered solutions. In performance, measured by the number of events per second (EPS) received, it by far exceeded established SIEM systems. It measured up to the other solutions in terms of functionality for analysis, reporting and alerting. An important consideration when choosing a solution was also the licensing model offered – LOGmanager licensing is not based on the number of devices or on the number of events per second.
When comparing LOGmanager with the low-cost open source systems offered by competitors, the decisive argument was that LOGmanager is a mature, comprehensive solution with a single administration interface providing a host of functions not offered by the open source solutions. Another important fact is that LOGmanager is not run in a virtualised environment, but as a stand-alone server instead.
When a virtualisation server fails, the log management stays in operation, logs do not get lost and the reasons that caused the hypervisor to crash can be analysed. At the same time, it offers a high level of security of the stored data – all data is stored on a RAID6 disk array with an accelerated hardware controller. From a security point of view, it is crucial that the administrator is not able to delete stored data.
One of the key requirements was the ability to collect logs from Windows workstations and servers, preferably with the possibility of filtering the received events. LOGmanager met this requirement, again without the need for a special licence. In addition, LOGmanager offered a bonus feature – translation of Windows error codes into a form comprehensible to humans, i.e. providing the error message instead of only the error code.
One of the arguments decisive for choosing LOGmanager was also the fact that LOGmanager has ISO 27001:2005 certification.
LOGmanager is a system for centralised log management of events and logs from all active network elements, security devices, operating systems and application software. It is a tool based on a new type of scalable database and a high-performance system for searching and presenting search results. It collects all relevant events and logs in an organisation and stores them in a secured centralised repository with pre-defined retention, allowing searches over extremely large volumes of data in real time. Search results are presented in text and graphic form, offering extensive interactive features for further processing.
The system also supports long-term storage of data ensuring its integrity and compliance with regulatory, forensic analysis and security audit requirements.
However, by design the system is not intended only for corporate IT security departments. It also provides great benefits to operations teams: through simple interaction with the event database it allows them to identify the causes of system failures, identify possible faults, and quickly find the events describing the cause of a specific problem, loss of data or loss of communication.
The system includes Windows Event Sender – a client for workstations and servers. The client is centrally managed and enables the collection of logs from Windows operating systems. The logs can be filtered, and the codes contained in the logs translated into a form comprehensible to humans.
The selected solution, LOGmanager, fully meets the requirements placed on a centralised data repository and a tool for the evaluation of logs. The great advantage of the selected solution is its event processing performance and log storage capacity. The system has been in operation for nearly two years and, at the current volume of received logs, its capacity will be sufficient for another 5 years. This is sufficient time for storing the logs without having to deal with retention issues. It is also important that the system can be managed through a unified administration interface and uses an elaborate system of access rights. An essential consideration in making the decision was also the fact that the system is not operated as a virtual machine and is thus not dependent on other systems.
The system's analytical capabilities were used, for example, for:
> Auditing user access to information systems
> Auditing the starting and stopping of processes in Windows and for application usage monitoring
> Analysing network traffic and configuring FW rules
> Monitoring user Internet behaviour and providing easy to follow reports from FW Webfilter
> Monitoring communication with external entities
> Monitoring and troubleshooting communication problems on integration bridges between information systems
> Addressing labour law issues – user activity
> Monitoring user activities on visitor WiFi and generating statistics reports
> Identifying unwanted services running on computers – failed or incomplete uninstallation
The IT Department also uses the feature that sends alerts upon administrator or vendor logon in connection with the administration of security devices – the firewall and IPS. They also use the functionality for access to application servers over Remote Desktop Protocol.
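The three capabilities the case study relies on – client-side filtering of forwarded Windows events, translation of event IDs and logon-failure status codes into readable text, and alerting on administrator or vendor logons to the firewall and IPS – can be shown in a few dozen lines. The block below is an added example and is not LOGmanager or Windows Event Sender code; the key=value line format, host names, user names and addresses are constructed for the example, while the event IDs (4624, 4625, 4688, 4689) and the NTSTATUS values are real Windows values.

```python
# Added example (not LOGmanager code): a small pipeline that does what the
# case study describes for Windows Event Sender and alerting: keep only the
# event IDs of interest, translate event IDs and logon-failure status codes
# into readable text, and raise an alert for administrator or vendor logons
# on security devices. Line format, host names and user names are constructed.
from collections import Counter

# Constructed sample input: Windows Security events plus a firewall and an IPS
# logon record, in a hypothetical key=value line format (not LOGmanager's).
SAMPLE_LOG = """\
host=DC01 event_id=4624 user=jnovak logon_type=2
host=DC01 event_id=4625 user=jnovak status=0xC000006A
host=DC01 event_id=4625 user=jnovak status=0xC000006A
host=DC01 event_id=4625 user=jnovak status=0xC000006A
host=DC01 event_id=4625 user=ghost status=0xC0000064
host=WS042 event_id=4688 user=svoboda process=C:\\Windows\\System32\\notepad.exe
host=WS042 event_id=4689 user=svoboda process=C:\\Windows\\System32\\notepad.exe
host=WS042 event_id=7036 user=SYSTEM service=Spooler
host=FW01 event=admin_login user=fw-admin src=10.0.0.5
host=IPS01 event=admin_login user=vendor-support src=203.0.113.7
"""

# Real Windows Security event IDs and the message text they carry.
WINDOWS_EVENT_NAMES = {
    4624: "An account was successfully logged on",
    4625: "An account failed to log on",
    4688: "A new process has been created",
    4689: "A process has exited",
}
# Real NTSTATUS values seen in the Status field of event 4625.
LOGON_FAILURE_STATUS = {
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}
# Client-side filter: forward only these IDs from workstations and servers.
FORWARDED_EVENT_IDS = set(WINDOWS_EVENT_NAMES)
# Hosts whose administrator logons should raise an alert (constructed names).
SECURITY_DEVICES = {"FW01", "IPS01"}


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; event_id becomes an int when present."""
    record = dict(field.partition("=")[::2] for field in line.split())
    if "event_id" in record:
        record["event_id"] = int(record["event_id"])
    return record


def should_forward(record):
    """Windows events pass the filter only if their ID is on the forward list."""
    return "event_id" not in record or record["event_id"] in FORWARDED_EVENT_IDS


def translate(record):
    """Attach human-readable text for the event ID and any failure status."""
    out = dict(record)
    if "event_id" in out:
        out["description"] = WINDOWS_EVENT_NAMES.get(out["event_id"], "unknown event")
    if "status" in out:
        out["reason"] = LOGON_FAILURE_STATUS.get(out["status"], "unknown status")
    return out


def admin_logon_alerts(records):
    """One alert per administrator logon on a firewall or IPS."""
    return [f"admin logon on {r['host']} by {r['user']} from {r.get('src', '?')}"
            for r in records
            if r["host"] in SECURITY_DEVICES and r.get("event") == "admin_login"]


def repeated_failures(records, threshold=3):
    """Users with at least `threshold` failed logons (event 4625)."""
    counts = Counter(r["user"] for r in records if r.get("event_id") == 4625)
    return {user: n for user, n in counts.items() if n >= threshold}


def process_log(text):
    """Filter, translate and analyse a block of log lines; return a summary."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    kept = [translate(r) for r in records if should_forward(r)]
    return {
        "kept": kept,
        "dropped": len(records) - len(kept),
        "alerts": admin_logon_alerts(kept),
        "repeated_failures": repeated_failures(kept),
    }


if __name__ == "__main__":
    summary = process_log(SAMPLE_LOG)
    for r in summary["kept"]:
        print(r["host"], r.get("description", r.get("event")), r.get("reason", ""))
    print("dropped:", summary["dropped"])
    print("alerts:", *summary["alerts"], sep="\n  ")
    print("repeated failures:", summary["repeated_failures"])
```

Run as a script it prints the forwarded events with their translated text, reports the one Service Control Manager event (7036) dropped by the filter, the two alerts for the firewall and IPS logons, and the user with three consecutive wrong-password failures. The filter is applied before translation, as a forwarding client would do it, so the central repository only ever stores and translates the events the administrators chose to keep.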
"We have no need for an expensive SIEM system with many sophisticated functions. We wanted a centralised log repository with analytical functions and sufficient performance. LOGmanager is available at a reasonable price and it uses a simple, that is to say no, licensing system. It fully meets our needs," says Tomáš Hilmar, head of the IT Department at the Prague 3 Municipal District Authority.